Malicious PDF — malware analysis report

Static analysis result for SHA-256 32b1d45e6db496e5…

Verdict: MALICIOUS
File type: PDF
Size: 72.2 KB
Created: 2021-03-16 23:52:57 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 069d0fb771b681b424e57a68e38af1b9
SHA-1: 2bbea0fff312357c85209e920f34615af6c854d8
SHA-256: 32b1d45e6db496e52896d8274f5a667f4720bc0c300dad5616aae500566e5a78
Risk score: 164

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic: a pattern used to manipulate search-engine results or to route users to harmful content rather than to cite sources. The ML_NYX_PDF_MALICIOUS flag and the ClamAV detection support the verdict. No scripts were extracted, so the JavaScript technique mapping is not backed by recovered code; the file structure and the link farm indicate a phishing or malicious-redirection lure, most likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the w3.org, purl.org and ns.adobe.com entries at the end of this list are XMP namespace identifiers, and the ascendercorp.com and scripts.sil.org/OFL entries match the vendor, designer and licence URL fields carried in embedded-font name tables; none of these is a lure link.
    • https://xezojetit.ru/strik?utm_term=vaporesso+renova+zero+care+vape+pod
    • https://cdn.sqhk.co/tawavumazo/hgugcij/25284206825.pdf
    • http://ladirojenovezoj.mygamesonline.org/oxford_afrikaans_dictionary.pdf
    • https://belikonanobos.weebly.com/uploads/1/3/4/6/134610264/vukapaziratenal.pdf
    • https://rojimabilaraxum.weebly.com/uploads/1/3/5/3/135314729/12e3d5c06b8206.pdf
    • https://cdn.sqhk.co/naxupowu/2ohcjjr/stack_crash_drop_fall_ballot.pdf
    • http://vimobewawulipiz.mypressonline.com/nudegateganasak.pdf
    • https://cdn.sqhk.co/pigajifaw/QGTf1hh/pacman_costume_shirt.pdf
    • http://motarojetox.sportsontheweb.net/41802950373.pdf
    • http://xutexukoxobofi.mywebcommunity.org/describe_how_the_3_branches_of_government_work_together.pdf
    • https://dudasajaje.weebly.com/uploads/1/3/4/3/134362454/kufirekikamo-pojinodevaku-vanaxupavajo-jesifuvev.pdf
    • https://cdn.sqhk.co/libegavezu/2lhaHvy/como_se_dice_mi_musica_favorita_en_ingles.pdf
    • https://cdn.sqhk.co/tavaxiwugo/dtn9fIy/pivebetofuterajewuvotapim.pdf
    • https://xibagepop.weebly.com/uploads/1/3/1/4/131438114/42e692f1b.pdf
    • http://bisapusid.mypressonline.com/subarachnoid_hemorrhage_guideline.pdf
    • https://nonililuwadev.weebly.com/uploads/1/3/4/3/134354571/giganekaxufizit-wasik.pdf
    • http://gedozudusinap.mygamesonline.org/30925051364.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://nitubak.atwebpages.com/81230300865.pdf
    • https://uploads.strikinglycdn.com/files/7e67712a-e3b3-41f6-95d0-7a423e722973/meeting_room_booking_system_office_365_tablet.pdf
    • https://uploads.strikinglycdn.com/files/78bf5cb5-1e99-4487-92d1-b949e81900fb/60630277518.pdf
    • https://s3.amazonaws.com/wamatasamegu/teamwork_interview_questions_and_answers.pdf
    • https://uploads.strikinglycdn.com/files/67414650-9360-4427-b498-4b6a1549cf53/nike_air_force_1_low_valentines_day_2005.pdf
    • https://uploads.strikinglycdn.com/files/6ec8e1a5-8a5b-4d5d-bde9-22b735f7d5ad/6442307013.pdf
    • https://s3.amazonaws.com/tupofelasujewas/linus_and_lucy_sheet_music_trombone.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
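To make the two parser-level findings in the list above concrete, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, here is an added example in Python. It is not the analysis platform's code and it runs over a constructed sample PDF built inside the block. It resolves indirect objects under both first-wins and last-wins policies, so the same bytes yield different link targets depending on the reader, then measures how many link annotations cluster on one host. The regex object scanner, the active-content key list and the thresholds (200 KB, 10 links, 50% of links on one host) are illustrative assumptions, not the report's values.

```python
"""Added example (not the analysis platform's code): a minimal PDF object
scanner that reproduces two of the report's heuristics on a constructed
sample. It ignores xref tables and does not decode streams, so it is a
triage aid, not a conforming PDF parser."""
import re
from collections import Counter
from urllib.parse import urlsplit

# 'N G obj ... endobj' in file order; a body containing the literal text
# 'endobj' inside a stream would be cut short (known limitation of regex scanning).
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string form of a URI action: /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# Keys whose presence makes a duplicated body "active content" (assumed list)
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA")


def iter_objects(pdf):
    """Yield (num, gen, body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def resolve(pdf, policy="last"):
    """Build the object table a reader would see under first-wins or last-wins."""
    table = {}
    for num, gen, body in iter_objects(pdf):
        if policy == "first":
            table.setdefault((num, gen), body)
        elif policy == "last":
            table[(num, gen)] = body
        else:
            raise ValueError(policy)
    return table


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: ids defined more than once with differing bytes."""
    seen = {}
    for num, gen, body in iter_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def duplicate_severity(pdf):
    """'info' for plain body differences, 'raised' if a duplicate carries active content."""
    dups = duplicate_objects(pdf)
    if not dups:
        return None
    hot = any(k in body for bodies in dups.values() for body in bodies for k in ACTIVE_KEYS)
    return "raised" if hot else "info"


def link_uris(table):
    """Extract /URI targets from a resolved object table (literal-string form only)."""
    return [m.group(1).decode("latin-1")
            for body in table.values() for m in URI_RE.finditer(body)]


def link_farm_score(pdf, policy="last", max_size=200 * 1024, min_links=10, min_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many external links, mostly on one host.
    Thresholds are illustrative assumptions, not the report's values."""
    uris = link_uris(resolve(pdf, policy))
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(uris) if uris else 0.0
    fires = len(pdf) <= max_size and len(uris) >= min_links and share >= min_share
    return {"links": len(uris), "top_host": top_host, "top_share": share, "fires": fires}


def build_sample(n_links=12, host="cdn.example.invalid"):
    """Constructed sample: a one-page PDF with n_links link annotations on one
    host, followed by an incremental update that redefines annotation 10 0 to
    point at another host. No xref/trailer, since the scanner does not need them."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    annots = b" ".join(b"%d 0 R" % (10 + i) for i in range(n_links))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj")
    for i in range(n_links):
        url = b"https://%s/u%d/%d.pdf" % (host.encode(), i, i)
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (10 + i, url))
    original = b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"
    update = (b"10 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (https://other.example.invalid/lure.pdf) >> >> endobj\n%%EOF\n")
    return original + update


if __name__ == "__main__":
    pdf = build_sample()
    for key, bodies in duplicate_objects(pdf).items():
        print("duplicate object %d %d defined %d times, severity %s"
              % (key[0], key[1], len(bodies), duplicate_severity(pdf)))
    for policy in ("first", "last"):
        print(policy + "-wins reader sees 10 0 ->", link_uris(resolve(pdf, policy))[0])
    print("link farm:", link_farm_score(pdf))
```

Run it directly to print the duplicate finding and the two readers' views of object 10 0. On a real sample, run the scanner over the raw bytes before any qpdf or mutool normalisation: rewriting the file keeps only the live object table and collapses exactly the duplicate definitions this heuristic is looking for.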

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000d848.bin
SHA-256: c4f06bc20c529645f5009ea2e1fd0aa8190ff49689c46fd5bf8e807bbc0c4cee
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xD848
Size: 5112 bytes

Filename: font_01_sfnt_off0000e9cc.bin
SHA-256: 3e8497ef94b5fcb70862af9c4fc9ee59cb913ed1c7aa685869e3590a871732d2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE9CC
Size: 11512 bytes